RSA 2018: Untangling the enterprise security mess

You have a ton of data, a ton of sensors and a ton of security applications. Now how do you keep track of it all, and spot correlated threats? RSA 2018 is the year of unified threat visibility and management.

As data have exploded in size, complexity and importance, so have the accompanying company budgets required to keep it all secure – in a desperate attempt not to make headlines by being the next hack victim. And the type of data to be analyzed now spans the endpoint, network, and servers, all the way to perimeter defense.

It used to be enough to protect endpoints and have a firewall. With today’s threats, there is a need to rapidly triage and escalate serious events to avoid the headline that says you’ve been hacked for six months and didn’t know it – an all-too-common occurrence.

But these pools of data are very different in nature and in structure. Network defenders, for example, try to monitor and detect threats as they attempt to pass by on the wire (or wireless), and attempt to find the proverbial needle in a haystack, which in and of itself is difficult and data-intensive. In a busy environment, a network packet capture might be terabytes in size every couple of hours. So triaging and dumping excess data, all in real time, is daunting.

The second pool of data is fed by the endpoints distributed across the network, which again have different structure and nature, and represents an entirely different (but related) threat vector.

Then, of course, it is useful to know what is the availability of network and host resources to determine if a threat has compromised a segment of the enterprise. This availability sensing takes on a different structure and nature than the other data pools, because the system health of the enterprise itself can cause false triggers that suggest or imitate a breach of some sort.

The answer seems to be to aggregate everything, from logs to network data to whatever other indicators you can find. But after you aggregate everything, there is a Herculean task to turn giant piles of data into intelligence. That is the question people hope to solve here at RSA 2018 – what to do with it all in a way that allows you to act on threats quickly?

Big data has part of the answer – deploying clusters of machines that can scale and ingest the data. But searching unstructured data and turning them into usable information is another layer to the equation, aided by devices that can normalize and de-clutter extraneous piles of pseudo-nonsense and present it as more useful, pruned intel.

The next layer is the reporting layer, whereby the pruned data are presented in a human-digestible format that IT staff can actually do something with. All this at the rapidly escalating pace that represents steep data growth in your organization.

It is no wonder folks here at RSA are looking to find a single pane of glass that can aggregate and process staggering volumes of data generated in the modern enterprise. And many folks here claim to have the answer.

In the end, the success of enterprise threat management will be determined by the speed, scalability, interoperability, and visibility that can be brought to bear on modern threats. No pressure.